Difference between revisions of "Summerschool Aachen 2004/Hacking the Web Presentation"

From C4 Wiki

Revision as of 19:32, 27 April 2005

Presentation Summary

Webapplications

  • traditionally weak security
  • use a simple SSL proxy so HTTPS can be handled like plain HTTP:
   # local listener on 127.0.0.1:8888, forwards each connection over TLS to www.ccc.de:443
   socat tcp-l:8888,reuseaddr,bind=127.0.0.1,fork openssl:www.ccc.de:443
   # talk plain HTTP to the local listener ...
   socat - tcp4:localhost:8888
   # ... or directly to the TLS port
   socat - openssl:www.ccc.de:443
  • install the web application on a local PC and start the SQL server with --log=/tmp/log to see the queries it receives
  • popular attack proxies: Burp Proxy, @stake Webproxy, WebScarab, Paros, Spike, Firefox plugins

PHP

  • register_globals pushes externally supplied variables (GET/POST) into the global namespace
  • insecure use of eval() on unchecked variables
  • paper: "A Study in Scarlet"
  • path filters are often OS dependent
  • .inc files may not be protected by the web server against reading (password disclosure)
  • .inc files may be renamed to .inc.php so the config file is executed; also the remote require() problem
  • arbitrary PHP files may be executed by namespace pollution via query-string variables
  • uploads may accept PHP files and may write to arbitrary locations in the server's file system via '..'
  • uploaded PHP files may get executed, combined with XSS (JavaScript)
  • insert PHP code into the Apache log file, then make the server execute the log file as PHP
  • strings get converted to integers ('000' = 0, but '000' != '0')
  • PHP sessions are stored in /tmp where local users may read them; the session id is encoded in the file name and the session data is inside the file
  • older versions accept <script> as session id and reproduce it in every link
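The log-file item above is easiest to understand from the defender's side: whatever a client puts in the request line, Referer or User-Agent lands verbatim in the access log, so a PHP open tag in those fields is the signal to look for. The following scanner is an added example written for this page, not code from the presentation; the Apache "combined" log lines it parses are constructed samples, and the field names and the `fully_decode` bound are this example's own choices.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format; not real traffic.
# Lines 2-4 carry PHP open tags in the request line or User-Agent, which is
# what a log-poisoning attempt looks like in the access log.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Apr/2005:19:32:01 +0200] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Apr/2005:19:32:07 +0200] "GET /index.php?page=<?php phpinfo(); ?> HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [27/Apr/2005:19:32:09 +0200] "GET / HTTP/1.1" 200 1024 "-" "<?php phpinfo(); ?>"
203.0.113.12 - - [27/Apr/2005:19:32:11 +0200] "GET /index.php?page=%3C%3Fphp+echo+1%3B+%3F%3E HTTP/1.1" 200 300 "-" "curl/7.0"
"""

# One "combined" record: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# PHP open tags: "<?php" (word-bounded) or the short echo tag "<?=".
PHP_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so that
    %3C%3Fphp and double-encoded variants are inspected in decoded form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return the record fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_php_injection(log_text):
    """Scan log text and return (client ip, field) for every field carrying a
    PHP open tag. All three client-controlled fields are checked, because each
    of them is written to the log file unchanged."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("request", "referer", "agent"):
            if PHP_TAG.search(fully_decode(rec[field])):
                findings.append((rec["ip"], field))
    return findings


if __name__ == "__main__":
    for ip, field in find_php_injection(SAMPLE_LOG):
        print(f"PHP open tag in {field} field from {ip}")
```

The decoding step matters: a tag sent as `%3C%3Fphp` is stored encoded in the log, but a later `include` of that file still sees the bytes as they were written, so the scanner only needs to decode to recognise the attempt, while the mitigation remains never handing log files to the PHP interpreter at all.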

Source Disclosure

  • change the file name's casing to confuse handlers
  • encode the URL, e.g. '.' -> %2e
  • double-encode
  • insert a space or '+' after the file name
  • use helper or demo handlers to retrieve source
  • changing hidden fields may allow spamming, file creation, etc.
  • sessions/cookies may not check whether the session id corresponds to the given user name
  • password disclosure via query strings in Referer URLs
  • cross-user surfing: use a valid session to access other users' data
  • XSS: push code to users' browsers via modified links containing JavaScript and steal cookies, etc.
  • files found in the web tree: .mdb files, .sql backups, WS_FTP.log, .DS_STORE, .cvs, .bak, file~
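The first four source-disclosure items (casing, %2e encoding, double encoding, trailing space or '+') and the upload '..' item in the PHP section share one root cause: the handler decision and the file access are made on different spellings of the same name. The code below is an added example for this page, not the presentation's own code; it canonicalizes a client-supplied name once and makes every later decision on that form. The extension set, the decode bound and the `uploads` base directory are assumptions of this example.

```python
import posixpath
from urllib.parse import unquote

# Extensions this hypothetical server would hand to an interpreter rather than
# serve as a plain file. Matching is done on the lower-cased name, because the
# classic filter bug is comparing against ".php" but not ".PHP".
INTERPRETED_EXTENSIONS = {"php", "php3", "phtml", "inc"}
MAX_DECODE_ROUNDS = 3


def canonicalize(raw):
    """Reduce a client-supplied path to the single form every later decision
    (handler choice, access check, file open) is made on: percent-decode until
    stable, drop a trailing space or '+', lower-case, collapse '.' and '..'."""
    value = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.rstrip(" +").lower()
    if not value:
        return ""
    return posixpath.normpath(value)


def is_interpreted(canonical):
    """True if any extension of the last path element maps to an interpreter.
    Every extension is checked, not only the last one, so 'config.inc.php' and
    'x.php.txt' are caught on servers that honour multiple extensions."""
    name = canonical.rsplit("/", 1)[-1]
    return any(ext in INTERPRETED_EXTENSIONS for ext in name.split(".")[1:])


def should_execute(raw):
    """Handler decision on the canonical form: casing, encoding and trailing
    characters can no longer turn a script into a plain file that gets served."""
    return is_interpreted(canonicalize(raw))


def check_upload_name(raw, base="uploads"):
    """Decide whether a client-supplied upload name may be stored under `base`.
    Returns (allowed, reason, final_path)."""
    canonical = canonicalize(raw)
    if canonical in ("", "."):
        return False, "empty name", None
    if any(ord(c) < 32 for c in canonical):
        return False, "control character in name", None
    parts = canonical.split("/")
    # "" as first part means an absolute path, ".." means traversal out of base
    if parts[0] in ("", ".."):
        return False, "escapes upload directory", None
    if len(parts) > 1:
        return False, "directory component in name", None
    if is_interpreted(canonical):
        return False, "interpreted extension", None
    return True, "ok", posixpath.join(base, canonical)


if __name__ == "__main__":
    for name in ("index.PHP", "index%252ephp", "index.php+", "notes.txt"):
        print(f"{name!r:20} execute={should_execute(name)}")
    for name in ("avatar.png", "../../etc/passwd", "shell.php.png", "a.php%00.png"):
        print(f"{name!r:20} -> {check_upload_name(name)}")
```

Note the decode loop is bounded and runs before every other step; a filter that decodes once, or that checks the extension before decoding, is exactly what the %2e and double-encoding tricks get past.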

SQL Injection

  • xp_cmdshell executes commands on the server (e.g. tftp)
    • the sa account may not be password protected, or disabled but not deleted...
    • tool: sqlat (?)
  • make conditions always evaluate to true (1=1, a'='a)
  • PHP magic_quotes helps against injection but affects all SQL commands
  • use prepared statements before executing to secure your code (exec "SELECT * FROM bla WHERE a='%s'", param)
  • hiding error messages does not prevent injection (blind SQL injection)
  • use UNION in injected SQL to get at more interesting tables
    • use SUBSTRING etc. to extract mysql.user passwords character by character
    • first column = 1 if the character isn't guessed correctly
    • a binary search (< 'a') is more efficient
  • if the user can control a response header field, 'header splitting' is possible (XSS)
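The tautology, magic_quotes and prepared-statement items above fit in one small demonstration. This is an added example for this page, not the presentation's code, written in Python against an in-memory SQLite table with constructed sample users; `escape_quotes` stands in for what magic_quotes-style quote doubling does to a value, and the table layout is this example's own.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table; names and passwords are sample data only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", 0), ("bob", "hunter2", 0), ("root", "toor", 1)],
    )
    return conn


def login_vulnerable(conn, name, password):
    """String-formatted query: client text becomes part of the SQL grammar, so a
    password of  ' OR 'a'='a  turns the WHERE clause into a tautology."""
    sql = "SELECT name FROM users WHERE name='%s' AND password='%s'" % (name, password)
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Prepared statement: the statement shape is fixed before the values are
    bound, so the same input is compared as a literal password and matches nothing."""
    sql = "SELECT name FROM users WHERE name=? AND password=?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def escape_quotes(value):
    """What magic_quotes-style escaping amounts to: doubling single quotes.
    That only protects a value that sits inside a quoted string literal."""
    return value.replace("'", "''")


def find_by_id_escaped(conn, user_id):
    """Escaping is applied, but the value is used in an unquoted numeric
    context, so  1 OR 1=1  needs no quote at all and the escaping changes nothing."""
    sql = "SELECT name FROM users WHERE rowid=%s" % escape_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]


def find_by_id_parameterized(conn, user_id):
    """Validate the type, then bind: non-numeric input never reaches the database."""
    if not user_id.isdigit():
        return []
    sql = "SELECT name FROM users WHERE rowid=?"
    return [row[0] for row in conn.execute(sql, (int(user_id),))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 'a'='a"
    print("formatted:    ", login_vulnerable(db, "x", payload))
    print("parameterized:", login_parameterized(db, "x", payload))
    print("escaped, numeric context:", find_by_id_escaped(db, "1 OR 1=1"))
    print("bound, numeric context:  ", find_by_id_parameterized(db, "1 OR 1=1"))
```

The numeric case is why the notes say magic_quotes "helps" rather than solves: quote doubling is scoped to string literals, while binding parameters (plus type validation for numeric columns) works for every value position in the statement.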

Top10 (OWASP)

  • Unvalidated Input
  • Broken Access Control
  • Broken Authentication and Session Management
  • Cross Site Scripting
  • Buffer Overflow
  • Injection Flaws
  • Improper Error Handling
  • Insecure Storage
  • Denial of Service
  • Insecure Configuration Management


Links

http://del.icio.us/peter_hacker/web